Low severity · authentication

Power BI Error: AADSTS120008

What does this error mean?

A password self-service or sync password change job in Entra ID (Azure AD) ended in a non-retryable terminal state.

Common causes

  • Azure AD Connect password writeback is disabled, broken, or the connector account lost its 'Reset Password' / 'Change Password' rights on the on-prem AD OU
  • The user object is in an unsupported state for SSPR: protected by a Fine-Grained Password Policy, member of a protected group (Domain Admins, Enterprise Admins, etc.), or sits in an OU not in scope of Connect
  • Password complexity, history, or minimum-age policy on on-prem AD rejects the new password and the async job gives up
  • The Azure AD Connect service is stopped, the sync engine is in an error state, or the writeback endpoint cannot reach the on-prem domain controller (firewall/Service Bus relay blocked)
  • The directory object is corrupt or orphaned (deleted source anchor, duplicate proxyAddresses), so the password change job cannot complete

How to fix it

  1. Confirm the failure scope: reproduce SSPR for the affected user at aka.ms/sspr and check Entra ID > Monitoring > Audit logs (category 'Self-service Password Management') for the matching correlation ID and inner error
  2. On the Azure AD Connect server, open the Synchronization Service Manager and check that the 'Password Writeback' feature is enabled and the most recent password-writeback heartbeat is green; restart the ADSync service if it is in an error state
  3. Verify the AD DS Connector account has 'Reset password', 'Change password', 'Write lockoutTime' and 'Write pwdLastSet' permissions on the OU containing the user (re-run Set-ADSyncPasswordWritebackPermissions if unsure)
  4. Check whether the user is in a protected group or covered by a Fine-Grained Password Policy — these block writeback by design; remove from scope or exclude from SSPR
  5. Validate the new password against the on-prem domain password policy (length, complexity, history, min-age) and have the user retry; if it still fails, force a full sync (Start-ADSyncSyncCycle -PolicyType Initial) and re-test
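The checks in steps 2 to 5 collected into one PowerShell run on the Azure AD Connect server, added here as an example (not part of the original page or of Microsoft's tooling); the user name, connector account name and domain are placeholders you must replace.

```powershell
# Added example: run in an elevated PowerShell session on the Azure AD Connect server.
# Assumptions (placeholders, not from the page): affected user 'jdoe', AD DS Connector
# account 'MSOL_abc123', on-prem domain 'corp.example.com'.
Import-Module ADSync
Import-Module ActiveDirectory

$User      = 'jdoe'              # assumed sAMAccountName of the affected user
$Connector = 'MSOL_abc123'       # assumed AD DS Connector account
$Domain    = 'corp.example.com'  # assumed on-prem AD domain

# Step 2: sync engine state and whether the Password Writeback feature is enabled
$svc = Get-Service -Name ADSync
"ADSync service: $($svc.Status)"
if ($svc.Status -ne 'Running') { Start-Service -Name ADSync }
$features = Get-ADSyncAADCompanyFeature
"Password Writeback enabled: $($features.PasswordWriteback)"

# Step 4: protected group membership (adminCount=1 via AdminSDHolder) and Fine-Grained Password Policy
$u = Get-ADUser -Identity $User -Properties adminCount, DistinguishedName
"Protected object (adminCount=1): $($u.adminCount -eq 1)"
$fgpp = Get-ADUserResultantPasswordPolicy -Identity $User
if ($fgpp) { "FGPP in effect: $($fgpp.Name)" } else { "FGPP in effect: none (default domain policy applies)" }

# Step 3: ACEs granted to the connector account on the user's parent OU.
# Well-known extended-right GUIDs are resolved to names so the two password rights are easy to spot.
$rightNames = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password'
    'ab721a53-1e2f-11d0-9819-00aa0040529b' = 'Change Password'
}
$ou  = ($u.DistinguishedName -split ',', 2)[1]
$acl = Get-Acl -Path "AD:\$ou"
$acl.Access |
    Where-Object { $_.IdentityReference -like "*\$Connector" } |
    ForEach-Object {
        $guid = $_.ObjectType.ToString()
        [pscustomobject]@{
            Right   = if ($rightNames.ContainsKey($guid)) { $rightNames[$guid] } else { "$($_.ActiveDirectoryRights) $guid" }
            Type    = $_.AccessControlType
            Inherit = $_.InheritanceType
        }
    } | Format-Table -AutoSize
# If 'Reset Password' / 'Change Password' or the lockoutTime / pwdLastSet write ACEs are missing, re-grant them:
# Set-ADSyncPasswordWritebackPermissions -ADConnectorAccountName $Connector -ADConnectorAccountDomain $Domain

# Step 5: the policy the new password must satisfy, then a full sync cycle before the user retries
$policy = if ($fgpp) { $fgpp } else { Get-ADDefaultDomainPasswordPolicy }
$policy | Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount, MinPasswordAge | Format-List
Start-ADSyncSyncCycle -PolicyType Initial
```

The ACE table lists WriteProperty entries by attribute GUID; compare them against the lockoutTime and pwdLastSet attributes in the schema if you need to confirm those two rights specifically.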

Frequently asked questions

What does AADSTS120008 mean?

A non-retryable error has occurred.

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes
